See Rafeeq's comment for the full explanation:
https://www-secure.symantec.com/connect/forums/current-ip-historical-ip-remote-ip-address-ntp-attack-logs-sepm-121#comment-8903051
Per Rafeeq:
"Current IP Address
This is the IP address the client has now (or had at the last time it talked to SEPM).
Historical IP Address
This is the IP address the client had when the attack occurred.
Remote Host IP
This is the IP address of the other guy (usually the guy who attacked this system)."